Fake malware warning scams

A recent example of a full-screen browser window that appears to be a serious malware alert.

Web sites that make their money from advertising usually subscribe to one or more advertising providers, such as Google Adsense. There are many others, including some that push ads that are really just scams.

One popular type of scam ad takes the form of a malware warning, presented to the unsuspecting user in a full-screen web page that seems to lock out the user completely. The example above (provided recently by a client) appears to be from Microsoft, generated by Windows anti-malware software, and it includes what is supposedly a Microsoft phone number.

In reality, this is just a web page, generated by Javascript from an advertisement on a shady web site. The full screen effect is produced by your web browser’s built-in full-screen view feature, triggered by the ad. These messages are not reporting the presence of malware; they are intended to scare you into calling a phone number. Messages of this type are categorized as ‘scareware‘.

A Google search for the phone number in the example above shows that it’s definitely associated with support scams.

These fake alerts vary in appearance and quality. Some are more convincing than others. Many are based on real malware warnings. You can see other examples by searching Google Images for ‘fake malware warning’.

It’s important to understand that legitimate anti-malware software won’t ‘lock’ your computer when it detects malware, and it won’t insist that you call a phone number.

If you see one of these scary-looking screens, don’t panic. Obviously, don’t call the phone number shown on the screen. Nothing good will come from that. Try pressing the F11 key on your keyboard. This is the near-universal key that toggles full screen view in web browsers. If it is just a web page, pressing F11 will reveal your web browser’s user interface, and you should regain your bearings immediately. Close the tab, and/or close the browser.

Also, please reconsider visting any web site that’s operated by people who care so little for visitors that they are willing to inflict this kind of dangerous garbage on them, albeit indirectly.

More useful information about this from the Safety Detectives site.

Den Delimarsky: Windows Needs a Change in Priorities

In a recent post on his blog, Den Delimarsky explains why he’s disappointed with the direction Microsoft is going with Windows.

Anyone who reads my own posts about Windows will notice that we complain about the same things. Inconsistent user interface elements, disappearing functionality, changes that nobody wants, advertising, and privacy issues all plague Windows 11, just as they do with Windows 10. But with each new Windows release, the problems are only getting worse.

It’s a good read, and I recommend it to anyone who is considering upgrading to Windows 11. It may also be helpful for people who are stuck using Windows 11, in business and education environments. If you’re using Windows 11 and are only vaguely aware that something is rotten in Denmark, this article may clarify things for you.

Cisco Immunet anti-malware software

In brief: stay away from this software.

I’m always interested in evaluating anti-malware/antivirus software, especially when it claims to be ‘lightweight’. All too often, anti-malware software that’s configured to run in the background has a very noticeable effect on performance.

So I installed Cisco’s Immunet on my main Windows computer. About ten minutes later, I removed it.

The user interface is horrible, seeming more like a first-time coder might have produced it, rather than an organization with the resources of Cisco.

I was very careful to configure Immunet before I ran any scans. In particular, I configured it to ask me before quarantining any files. Imagine my surprise when on its initial scan, it went ahead and quarantined three executables, none of which were actually malware.

Of the three quarantined files, I was able to use Immunet to restore one. The others were irretrievable, and I had to reinstall the associated software. For one of them, I lost its settings as well.

Normally I would persist with an evaluation like this, to give it a thorough test. But really, having suffered this much in such a short space of time, why bother?

This is crappy software. Avoid at all costs.

Microsoft updates still breaking things

Is it just me, or is Microsoft actually getting worse at this? It seems that every month there are more horror stories about problems caused by MS software updates. Given that Microsoft is still pushing hard for all Windows updates to happen automatically, this is very troubling.

In the latest instance, updates pushed out for January’s Patch Tuesday caused some Windows servers to reboot continuously. For server admins, this is a nightmare scenario.

One could argue that since the problem only affected a specific subset of Windows servers, this was less serious than something that affects all Windows 10 users. But affected servers were potentially used by hundreds or even thousands of people, which amplifies the scope of the problem.

Microsoft’s approach to testing changed with the release of Windows 10, and they now rely on reports from regular users who have opted in to pre-release versions of Windows. It’s clear that this kind of testing is much less useful than proper, methodical testing. Whether Microsoft will eventually go back to proper testing remains unclear. Meanwhile, we all suffer. And wonder whether the next Patch Tuesday is going to be a day of disaster.

Ars Technica and The Verge have more.

Blocking IP ranges at the router

I’m sure that Russia is a wonderful place, and I’m sure that the vast majority of people there are lovely, and have no interest in harming anyone.

Sadly, from the perspective of a server operator, it sometimes feels that nothing good ever comes from Russia.

Being the diligent server operator that I (hopefully) am, I monitor things pretty closely. That includes network traffic coming from the Internet. Over the years, I’ve noticed that a huge proportion of the probes, DDoS attacks, spam, phishing, and hack attempts against my network come from IP addresses in Russia.

It’s gotten to the point where I am now actively blocking huge swathes of Internet addresses (IPs) that originate in Russia and neighbouring countries like the Ukraine.

Blocking those nasty IPs

I run a Linux web server, as well as several Internet-enabled services, at my home office. All of the communications between my server and the Internet pass through a router, making it the ideal place to block unwanted traffic for my entire network, which includes media computers, development systems, and the Windows computer on which I’m writing this.

I’m using a commercial router, but I’ve replaced the original firmware with Advanced Tomato. Doing this provides many benefits, including making it easier to manage the router’s firewall, IPTABLES. Here’s a typical IPTABLES command to block an IP address from the router’s Linux command line:
iptables -I FORWARD -s 185.219.52.90 -j DROP

The DROP directive tells the router to unceremoniously drop any traffic from the specified IP, without logging this action. Traffic can also be logged when it’s dropped, but excessive logging can cause performance problems and fill up logs with junk, so I just drop this traffic.

I issue commands like the one above at my router’s command line to block the traffic immediately, and then I update the router’s startup firewall script with the same command, so that it persists after the next router restart.

So there’s this one guy

There’s been one particularly persistent attacker in the last year or so. This person wants desperately to gain access to one of my Internet-accessible services, but he’s not particularly intelligent, because he keeps trying the same things over and over, in rapid succession. So much so, that at times the traffic he generates comes within shouting distance of a DDoS attack.

I started paying particular attention to traffic associated with a series of ports that are used by the service, and blocking the IP addresses at the other end of that traffic. Whereupon we embarked upon a long game of whac-a-mole, in which I blocked an IP or IP range, and the attacker moved to another host or VPN provider and resumed his attacks from there. It seems clear that this was all being done by one attacker, based on his quick reactions to my blocking.

This went on for several months, but now he appears to have given up. Or at least he’s moved on to other methods.

In the process of blocking all these IPs and networks, the attacker has also helpfully provided me with a list of VPN providers that should be blocked by, well, everyone. Everyone who doesn’t specifically need to allow them.

IP addresses and ranges I’m blocking

Almost all of these IPs and IP ranges are in Russia and the Ukraine. A few are elsewhere in Asia. Most of the ranges are VPN providers.
103.48.51.116
104.129.18.0/23
104.237.192.0/19
104.237.203.0/24
141.98.10.0/24
173.244.208.60
176.67.85.0/24
185.156.72.0/24
185.156.74.0/24
185.193.88.0/24
185.217.69.157
185.219.52.112
185.219.52.90
185.219.52.91
193.106.191.25
193.106.191.35
193.106.191.41
193.32.164.85
193.93.62.0/24
195.54.160.27
198.8.81.220
216.131.114.0/24
216.131.116.0/23
216.131.68.0/24
216.131.88.0/23
217.138.255.202
31.43.185.29
31.43.185.9
37.120.218.0/24
45.134.26.0/24
45.143.203.121
45.145.64.0/23
45.145.65.11
45.146.164.0/23
45.146.166.0/23
45.155.204.0/24
45.155.205.0/24
45.227.253.0/24
45.9.20.0/24
5.188.206.230
71.19.251.0/24
76.180.16.74
77.243.191.120
77.83.36.0/24
78.128.112.18
82.145.32.0/19
84.17.41.141
84.17.41.151
87.251.75.0/24
89.187.182.87
89.187.183.76
91.191.209.110
92.204.240.75
92.255.85.0/24
94.232.40.0/21
98.175.213.148

Here are a few other ranges I’m blocking for various reasons:

  • Hungarian ISP MAGYAR-TELEKOM-MAIN-AS IP range (unceasing garbage): 94.27.128.0/17
  • MediaLand BPH IP range (generally just horrible): 45.141.84.0/24
  • EE-GIGAHOSTINGSERVICES (constant email relay attempts): 176.111.173.0/24

Patch Tuesday for December 2021

Time for another thrilling game of I Hope These Critical Security Updates Don’t Break Anything On My Computer with your permanent host, Microsoft.

This month’s edition includes approximately thirty-seven updates, with fixes for eighty-eight vulnerabilities, in Office, Defender, Edge, SharePoint, Visual Studio, Visual Studio Code, and Windows.

The challenge of counting the number of updates and vulnerabilities each month isn’t getting any easier, as some Microsoft applications (especially Edge) now update themselves outside of the monthly cycle. The source of both information and confusion about Microsoft updates is the Security Update Guide.

Microsoft isn’t showing any signs of giving up their ultimate power over your PC, and will continue to install updates pretty much at their whim, for the foreseeable future. Those of us still running Windows versions that are unsupported (7, XP), and soon-to-be-unsupported (8.x) are starting to seem like the last holdouts in a battle that’s already lost. The battle for control over our own computers.

Or maybe that’s just hyperbole.

Regardless of the status of automatic updates on your version of Windows, at this time of the month it’s a good idea to head over to the Windows Control Panel (or Settings), find Windows Update, and check for new updates.

Patch Tuesday for November 2021

To paraphrase butcher Oscar Wilde: the only thing worse than having to install security updates every month is having no security updates at all. If you’re not getting a steady supply of security updates, your software is probably no longer being developed or supported. If you’re just choosing not to install the available updates, you’re asking for trouble. Either is bad, but at least you can do something about the latter.

It’s my duty to inform you that — at least by my count — Microsoft has made available this day approximately twenty-nine updates for Windows, Office, Edge, Visual Studio, Exchange Server, SharePoint, Visual Studio Code, and Windows Server. A total of fifty-five vulnerabilities are fixed by the updates.

The source of this information is Microsoft’s Security Update Guide (SUG). It’s a sluggish and weirdly complicated system to navigate, but does seem to contain the necessary information.

As usual, this month’s collection includes updates for Windows 7, but those updates remain tantalizingly out of reach for most Windows 7 users, because obtaining them involves entering into a special agreement with Microsoft that’s way too expensive for regular folks.

Windows 10 systems get the updates automatically, and Windows 8.1 users — if automatic updates are disabled — should navigate to the Windows Control Panel and Windows Update to install them.

Java 8 update 311

Oracle just released its quarterly Critical Patch Update Advisory for October 2021.

As usual, there’s a section in the advisory for Java. The details show that previous versions of Java, including Java 8 Update 301, have fifteen known security vulnerabilities.

Java: What is it and why do I need it?

There’s a new version of Java that addresses the vulnerabilities in version 8u301: Java 8 Update 311.

If Java is installed on your computer, it’s a good idea to keep it up to date. If you’re not sure whether Java is installed, go to the Windows Control Panel and look for a Java entry. If it’s not there, great! You don’t use (or apparently need) Java.

Otherwise, click the Java Control Panel entry and go to the Update tab. Click the Update Now button to start the update process.

Patch Tuesday for October 2021

Like clockwork, Microsoft has once again provided us with a month’s worth of new security updates.

According to Microsoft’s Security Update Guide, this month there are patches for one hundred and seven vulnerabilties, in Office (2013, 2016, and 2019), Edge, Exchange Server, SharePoint, Visual Studio, System Center, Windows (7, 8.1, 10, and 11) and Windows Server.

As usual, Microsoft is taunting Windows 7 users with updates for that O/S, because most of us regular folks can’t afford them.

Windows 8.1 users — of which I’m one of the very few remaining — can either enable automatic updates, or navigate the Start menu to Windows Update to install available updates manually.

Windows 10 users can still delay updates, though just how long a delay is allowed depends on the flavour of Windows 10 you’re running. Windows 10 Home doesn’t give you much to work with in that respect.

Since Windows 11 isn’t even officially released yet, it’s difficult to predict exactly how updates will be handled for that O/S. However, it’s a safe bet that updates will be shoved down our throats as they are with Windows 10.

Windows 11 workarounds

Windows 11 hasn’t even been released yet, and people are already looking for ways to work around some of the changes Microsoft has decided we really need.

First up, it’s the venerable Start menu, which for some reason Microsoft has decided to move from its traditional place at the bottom left of the display, to the bottom center. Perhaps because that’s the way macOS does it?

I have no problem with Microsoft making changes like these, as long as there’s a way to revert those changes. In this case, there’s no obvious way to do that, but helpful folks have found a workaround.

Next, it’s the incredibly annoying prompts, taskbar icons, alerts, and other associated distractions generated by Microsoft Teams. That software isn’t included with Windows 11, but Microsoft has packed the new O/S with what amounts to advertising for Teams. Again, helpful folks have figured out how to get rid of this crap.

Meanwhile, Mozilla has discovered how to get past the hurdles Microsoft erected to prevent Firefox from making itself the default web browser automatically. You’ve no doubt seen what is normally required to change the default browser on Windows 10 (which now affects Windows 11 as well): you’re forced to make the change manually.

Forcing the user to intervene in changing the default browser (and other applications) was added to Windows as a security measure, because otherwise malicious software could more easily take over affected applications. But Microsoft’s applications don’t seem to be affected by this restriction, making the whole thing seem more like Microsoft giving itself an unfair advantage.

Rants and musings on topics of interest. Sometimes about Windows, Linux, security and cool software.